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Abstract 

This article describes a formal strategy of geometric complexity theory (GCT) to resolve 
the self referential paradox in the P vs. NP and related problems. The strategy, called the 
flip, is to go for explicit proofs of these problems. By an explicit proof we mean a proof 
that constructs proof certificates of hardness that are easy to verify, construct and decode. 
The main result in this paper says that (1) any proof of the arithmetic implication of the 
P vs. NP conjecture is close to an explicit proof in the sense that it can be transformed 
into an explicit proof by proving in addition that arithmetic circuit identity testing can be 
derandomized in a blackbox fashion, and (2) stronger forms of these arithmetic hardness and 
derandomization conjectures together imply a polynomial time algorithm for a formidable 
explicit construction problem in algebraic geometry. This may explain why these conjectures, 
which look so elementary at the surface, have turned out to be so hard. 

1 Introduction 

Geometric complexity theory (GCT) is an approach to fundamental hardness problems in com- 
plexity theory via algebraic geometry and representation theory suggested in a series of articles 
|22|-|29|. which we call GCT1-8. In this article we describe and justify a formal defining strat- 
egy of GCT, called the flip, to resolve the self referential paradox in the P vs. NP and related 
problems. This paradox refers to the question that is often asked: namely, since the P vs. NP 
problem is a universal statement about mathematics that says that discovery is hard, why could 
it not preclude its own proof and hence be independent of the axioms of set theory? Resolution 
of this self referential paradox is generally regarded as the root difficulty in this problem; cf. the 
survey [2] and the references therein. 

The flip strategy of GCT to resolve the self referential paradox is to go for an explicit proof. 
By an explicit proof of the nonuniform P vs. NP problem (i.e., NP P/poly conjecture) we 
essentially mean a proof that shows existence of proof certificates for hardness of an NP-complete 
function f(X) = f{x\, . . . ,x n ), also called obstructions (to efficient computation of f(X)), that 
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are short (of poly(n) bitsize), easy to verify and construct (in poly(n) time), and easy to decode. 
By easy to decode we mean that, given n, small m = poly(n), and a short obstruction s, a 
small set S n:m (s) = {Xi, . . . , X r }, r = poly(n), of inputs can be constructed in poly(n) time 
such that, for every small circuit C of size < m, S n)m (s) contains a counterexample Xq such 
that f(Xc) 7^ C(Xc). Here C(X) denotes the function computed by C. A proof technique 
that yields an explicit proof of the nonuniform P vs. NP problem is called a flip (from hard 
to easy), because in essence it reduces the original hardness (lower bound) problem to easiness 
(upper bound) problems: namely, to showing that verification, construction and decoding of 
proof certificates of hardness as per that technique are easy, i.e., belong to the complexity class 
P. In what sense this strategy amounts to an explicit resolution of the self referential paradox 
is explained in Section 13.31 See Section [3] for the definition of the flip in the arithmetic setting. 

The main results in this article provide a posteriori justification for this flip strategy. 
Specifically, it is shown (cf. Flip Theorems 14.21 and I4.3f) that any proof of the arithmetic nonuni- 
form version of the P vs. NP conjecture in GCT1 (which is a formal weaker implication of 
the boolean NP <£. P/poly conjecture) can be converted into an explicit proof by proving in 
addition that circuit identity testing can be derandomized in a blackbox fashion. This standard 
derandomization assumption [321 [T2l [13] is generally believed to be easier than the target lower 
bound. Hence, in this sense, any proof of the arithmetic P vs. NP conjecture is close to an 
explicit proof. It is also shown (cf. Flip Theorem 19. 2\\ that stronger forms of these arithmetic 
hardness and derandomization conjectures together imply a polynomial time algorithm for a 
formidable explicit construction problem in algebraic geometry. This may explain why these 
conjectures in complexity theory, which look so elementary at the surface, have turned out to 
be so hard. 

A starting point for the investigation in this article was an analogous result (cf. Flip 
Lemma 14. If) for (weak) arithmetic hardness of the permanent that follows easily from the 
hardness vs. randomness principle [121 [13] and downward self reducibility of the permanent. 
Specifically, it follows by derandomizing the co-RP algorithm in [12] for testing if a given arith- 
metic circuit computes the permanent using its downward self reducibility. But self-reducibility 
does not seem to be as effective in the context of the P vs. NP problem, as has already been 
observed in other contexts in complexity theory (e.g. average vs. worst case hardness [HE]). 
The best earlier results in the context of the P vs. NP problem were proved in [31 [7J. Us- 
ing downward self reducibility, the article [3] gives, assuming NP % P/poly, a probabilistic 
polynomial time algorithm for finding, given any small circuit C, a counterexample on which it 
differs from SAT. But this algorithm cannot efficiently produce a small set (a proof certificate 
of hardness) that contains a counterexample against every small circuit. The article [7J gives 
under the same assumption a probabilistic polynomial time algorithm with an access to the SAT 
oracle for computing a small set of satisfiable formulae that contains a counterexample against 
every small circuit claiming to compute SAT. The main difficulty in the context of the P vs. 
NP problem is to accomplish the same task in polynomial time under reasonable complexity 

1 This strategy was formulated in a rough form after the completion of GCT1 and 2, when it was realized that 
these initial papers do not address the self referential paradox. It was announced briefly without any explanations 
in [20] ■ The articles GCT3-5 investigate some basic problems in representation theory motivated by the flip, and 
the main result of GCT6, based on GCT1-5 and other results in algebraic geometry and representation theory, 
provides an approach to implement the flip in the arithmetic setting wherein the underlying field of computation 
has characteristic zero. 



2 



theoretic assumptions without any access to the SAT oracle. This difficulty is overcome here in 
the setting of the arithmetic P vs. NP conjecture using the hardness vs. randomness principle 
|32 t ll2 [ [T5] in conjunction with characterization by symmetries of a certain exceptional function 
associated with the complexity class NP in GCT1 (cf. Section [5|). Characterization by symme- 
tries is a well known phenomenon in invariant theory on which GCT is based. Its crucial role 
here suggests that it may find more applications in complexity theory in future. 

The flip lemma (Lemma 14. ip for the weak arithmetic hardness of the permanent also does 
not have any direct implications in algebraic geometry, unlike the stronger flip theorem (Theo- 
rem EO}. This stronger theorem is proved by combining the hardness vs. randomness principle 
and characterization by symmetries with classical algebraic geometry. 

There is also a flip theorem in the boolean setting (Flip Theorem ll0.5p for a stronger average 
case form of the boolean NP <£. P/poly conjecture based on the characterization by symmetries. 
The main ingradient here is just the formulation of this conjecture. The rest follows easily from 
the work |32^ [T2] on derandomization of BPP. All the nonuniform results in this article also have 
analogues in the uniform setting. 

In view of all these results, the flip strategy of GCT to go for explicit proofs of the P vs. 
NP and related conjectures seems quite natural. 

The rest of this article is organized as follows. Section[2]describes the arithmetic version of the 
P vs. NP problem defined in GCT1. Section [3] describes the formal flip strategy for resolution 
of the self referential paradox via explicit proofs. The flip theorems in various arithmetic settings 
are stated in Section [4] and proved in Sections [Mil The implication in algebraic geometry is 
pointed out in Section [9l The flip theorem in the boolean setting is stated in Section ITTJl 

No familiarity with algebraic geometry is assumed in this paper. The required facts from 
classical algebraic geometry are only used as blackboxes. 

2 Arithmetic versions of the P vs. NP and related problems 

In this section we recall the arithmetic version of the P vs. NP problem defined in GCT1 and 
also arithmetic versions of the related problems. 

2.1 Arithmetic hardness of the permanent 

By the arithmetic hardness conjecture for the permanent, we mean the problem of showing that 
the permanent of an n x n complex matrix X cannot be computed by any arithmetic circuit 
over C of m = poly(n) size, where by the size of the circuit we mean the total number of nodes 
in it. By the weak arithmetic hardness conjecture, we mean the problem of showing that the 
permanent of an n x n integer matrix X cannot be computed by any arithmetic circuit (over 
Z or Q) of m = poly(n) total bit size, where by the total bit size of the circuit we mean the 
total number of nodes in it plus the the total bit size of all constants in the circuit. Clearly, the 
weak arithmetic conjecture is implied by the arithmetic conjecture. By the strong arithmetic 
conjecture [cf. GCT1], we mean the problem of showing that perm(X), the permanent of an 
nxn variable matrix X, cannot be approximated infinitesimally closely by an arithmetic circuit 
over C of m = poly(n) size. Here by infinitesimally close approximation, we mean that all 
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coefficients of the polynomial computed by a circuit can be made infinitesimally close to that of 
the permanent. Clearly, the strong arithmetic conjecture implies the arithmetic conjecture. 

By the arithmetic permanent vs. determinant problem [36], we mean the problem of showing 
that perm(X) cannot be represented linearly as det(V), the determinant of an m x m matrix 
Y, if m = poly(n), or more generally, m = 2 log n , for a fixed constant a > 0, and n — > oo; the 
best known lower bound on m at present is quadratic [19]. Here, by a linear representation, 
we mean that the entries of Y are (possibly nonhomogeneous) linear functions (over C) of the 
entries of X. The strong arithmetic version of this problem [GCT1] is to show that perm(X) 
cannot be approximately infinitesimally closely by an expression of the form det(y) as above. 
Clearly, the strong arithmetic version implies that arithmetic version. The current best lower 
bound in the strong arithmetic setting is quadratic. It is proved in [14] using GCT, and provides 
the first concrete lower bound application of GCT in the context of the permanent vs. deter- 
minant problem. The weak arithmetic version of this problem is to show that perm(X) cannot 
be represented linearly as det(Y), where the entries of Y are possibly nonhomogeneous linear 
functions over Z and the total bit size of the specification of Y is poly(n), or more generally, 
0(2 logCln ), for a fixed constant a > 0. Clearly the weak arithmetic version is implied by the 
arithmetic version. 

A priori, it is not at all clear that the strong arithmetic conjectures above are actually 
stronger than the arithmetic conjectures. This is expected because there are functions that 
can be approximated infinitesimally closely by small circuits (of small depth) but conjecturally 
cannot be computed by small circuits (of small depth); cf. Section 4.2 in GCT1. 

2.2 Arithmetic P vs. NP problem 

Next we turn to the arithmetic version of the P vs. NP problem defined in GCT1. Towards 
that end, we first associate with the complexity class NP a certain integral function E(X) that 
is characterized by its symmetries (cf. Section [5]) like the permanent function associated with 
the complexity class if P. 

Take a set {X? |1 < j < k, 1 < i < m} of m-dimensional vector variables, for some fixed 
constant k > 3. Here each Xf is an m-vector. So there are km vector variables overall. Let 
X be the m x km variable matrix whose columns consist of these km variable vectors. For 
any function a : {1, . . . , m} — > {1, . . . , k}, let det CT (X) denote the determinant of the matrix X a 
whose i-th column is X° . Define E{X) = Y[ad-et a (X) where a ranges over all such functions. 
Clearly E(X) is well defined over any base field F. Let n = km 2 be the total number entries in 
X. 

The ultimate goal of GCT is: 

Conjecture 2.1 (The stronger form of the NP % P/poly conjecture) Let the base field 
F = F p , p = q l , q = 0{poly(n)) a prime and I = n a , for a fixed constant a > 1. Then 
E(X) r , for any < r < p, cannot be computed by an arithmetic circuit over F p of poly(n) size. 

Here the rank / of F p is required to be large so that the size of F p is much larger than 
the degree mk m of E(X). Computation of E(X) has been conjectured to be hard in this case 
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because to decide whether E(X) is zero over Z is known to be iVP-complete (cf. page 451 in 

ma). 



Proposition 2.2 (cf. Section^) Conjecture \2. 1\ implies NP $Z P/poly. 

An intermediate goal is: 
Conjecture 2.3 [cf. GCT1] 

(a) [The (nonuniform) arithmetic P vs NP problem] Suppose the base field (or ring) F = Q or 
C (or Z). Then E(X) cannot be computed by an arithmetic circuit of poly(n) size over F. 

(b) [The weak (nonuniform) arithmetic P vs. NP problem] E(X) (over Z) cannot be computed 
by an arithmetic circuit over Z of total bit size O{poly{n)). 

(c) [The strong (nonuniform) arithmetic P vs. NP problem] E(X) cannot be approximated 
infinitesimally closely by an arithmetic circuit (over C) of size poly(n). 

Here (b) over Z is a weaker implication of Conjecture 12.11 for E(X) over F p . It is also implied 
by the usual NP <J- P/poly conjecture since, as already remarked, the problem of deciding if 
E(X) = over Q or Z is NP-complete |10j . Furthermore, (b) is a weaker implication of (a), 
because in (a) there is no restriction on the bitlengths of the integer constants in the circuit 
computing E(X). Only the total number of nodes in the circuit needs to be 0(poly(n)). Whereas 
in (b) the total number of nodes as well as the total bit size of the constants in the circuit need 
to be 0(poly(n)). 

3 The flip and explicit proofs 

In this section we describe the formal flip strategy towards the uniform or nonuniform P vs. 
NP and related problems in the boolean as well as arithmetic settings. 

First let us consider the nonuniform boolean setting. Fix an ./VP-complete function f{X) = 
say SAT. The goal of the nonuniform P vs. NP problem (i.e., NP % P/poly 
conjecture) is to show that there does not exist a small circuit C of size m = poly(re) that 
computes f(X), n — > oo. Equivalently, the goal is to prove: 

(HOH: Hard Obstruction Hypothesis): For every large enough n, and m = poly(n), there 
exists a trivial obstruction (i.e. a "proof- certificate" of hardness) to the efficient computation 
of f(X). Here by a trivial obstruction we mean a table that lists for every small circuit C a 
counterexample X such that f(X) ^ C(X), where C(X) denotes the function computed by 
C{X). 

The number of rows of this table is equal to the number of circuits of size m = poly(ra). Thus 
the size of this table is exponential; i.e., 2°(P°^^ n ^. The time to verify whether a given table 
is a trivial obstruction is also exponential, and so is the time of the obvious algorithm to decide 
if such a table exists for given n and m, and to construct one if it exists. From the complexity 
theoretic viewpoint, this is a hard (inefficient) task. So we call this trivial, brute force strategy 
for proving the nonuniform P vs. NP conjecture, based on existence of trivial obstructions, 
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a hard strategy-it is really just a restatement of the original problem. Hence, the terminology 
Hard Obstruction Hypothesis. 

Any proof strategy for the P vs. NP problem has to answer the following question: 

Question 3.1 In what sense is the proof strategy fundamentally different from the trivial, brute 
force strategy above and not just an equivalent reformulation of the original problem? That is, 
in what sense are the proof certificates of hardness (obstructions) of this proof strategy funda- 
mentally better than the trivial obstructions above? 

Until this question is answered, however sophisticated a proof strategy may be, it cannot be 
considered to be more than a restatement or an equivalent reformulation of the original problem. 

The most obvious and natural abstract strategy that is fundamentally better than the trivial 
strategy is suggested by the P vs. NP problem itself. Before we define it, let us first see what 
is wrong with the trivial obstruction from the complexity-theoretic point of view. That is 
quite clear. First, it is long, i.e., its description takes exponential space. Second, it is hard to 
verify (and also construct); i.e., it takes exponential time. Since NP is the class of problems 
with "proof-certificates" that are short (of polynomial-size) and easy to verify (in polynomial- 
time), this then leads to the following strategy for proving the nonuniform P ^ NP conjecture, 
based on proof certificates (obstructions) that are short, and easy to verify (and also easy to 
construct). We call this strategy the flip: from the hard (exponential time verifiable trivial 
obstructions) to the "easy" (polynomial time verifiable/constructible new obstructions), and 
from the nonexistence (lower bound problem) to the existence (upper bound problem) — existence 
of an efficient algorithm to verify and construct an obstruction. 

Formally, we say that a technique for proving the nonuniform P ^ NP conjecture (using the 
function f{X)) is a flip if there exists a family O — U mjn 

Cn,m of bit strings called obstructions 
(or obstruction labels), which serve as proof certificates of hardness of f(X), having the following 
Flip properties F0-F4. 

FO [Short]: The set O n>m is nonempty and contains a short obstruction string s if m is small, 
i.e., m = 0(poly(n)), or more generally m = 0(2 log n ), a > 1 a fixed constant. Here short 
means the bitlength (s) of s is poly(n, m). This is poly(ra) if m = poly(ra). 

To state Fl, we define a small global obstruction set S n ^ m to efficient computation of f(X), 
for given n and m, to be a small set {X±, . . . ,Xi}, I = poly(n, m), of inputs such that, for any 
circuit C of size < m, 5 n , m contains a counterexample Xq = Xj, for some j < I, such that 
f(X c ) + C(X C ). Then: 

Fl [Easy to decode]: Each bit string s € O n ^ m , m small and s short, denotes a small 
global obstruction set S n:Tn (s) to efficient computation of f{X) such that: (a) given s,n and 
m, S n>m (s) can be computed in poly((s), n, m) time-in particular, if s is short, S n)m (s) can 
be computed in poly(n,m) time-, and (b) given s,n, m and any circuit C of size < m, a set 
S n ,m,c{s) ^ S n:m (s) of 0(1) size can be computed in poly((s), n, m) time such that S nt m t c(s) 
contains some counterexample Xq such that f{Xc) 7^ C{Xq)- A stronger form of (b) is (b'): 
given s, n, m and C, a counterexample Xq € S n ^ m {s) as above can be computed in poly((s), n, m) 
time (we do not consider it in this paper). 

F2 [Rich]: For every n and m = poly(n), O n ^ m contains at least 2 n( - m * > pairwise disjoint 
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obstructions, each of poly(n, m) bitlength. Here we say that two obstructions s, s' € ni m are 
disjoint if S n;m (s) and S n>m (s') are disjoint. 

F3 [Easy to verify]: Given n, m and a string s, whether s is a valid obstruction string for n 
and m-i.e., whether s € O nim -can be verified in poly(n, (s),m) time. In particular, this time is 
poly(n) when (s) and m are poly{n). 

F4 [Easy to construct] : For each n and m = poly(n) a valid obstruction string s ntm G O 

run 

can be constructed in poly(re, m) = poly(n) time. 

This finishes the description of FO-4 defining a flip. 

We say that a proof of the NP % P/poly conjecture (using f(X)) is extremely explicit if it 
proves existence of an obstruction family O satisfying FO-4. We have defined explicitness in the 
most extreme form here, because we wish to prove the flip results later (Theorems 14.31 and !9.2p in 
a strongest possible form to indicate what is eventually possible. One may also consider weaker 
forms of explicitness (as we do in GCT) by relaxing the conditions above appropriately. We do 
not define them here since they are not used in this paper. Hence, in this paper, whenever we 
say explicit, we mean extremely explicit. 

3.1 Uniform setting 

Now let us consider the uniform setting. We say that a technique for proving the uniform 
P ^ NP conjecture (using the function f{X)) is a (uniform) flip, and the resulting proof explicit, 
if there exists a family O = U mtn O ntm of bit strings called obstructions (or obstruction labels), 
which serve as proof certificates of hardness of f(X), satisfying the Uniform Flip properties 
UF0-UF4, which are obtained from F0-F4 by simply replacing the circuits in their definitions by 
uniform circuits. Note that UF1 (b) and UF4 together imply "efficient diagonalization within 
O(l) factor": given n,m = poly(n) and any algorithm C that works within m time on inputs of 
size n, a set 5 n ,m,c of O(l) size can be computed in poly(ra, m) time such that <SVi,m.c contains 
some counterexample Xq such that f(Xc) ^ C(Xc)- 

3.2 Arithmetic setting 

We can similarly define the flip and explicit proofs for the arithmetic P vs. NP problem 
(Conjecture 12. 3p letting E(X) in Section [2] play the role of f(X). 

In the weak arithmetic setting, we replace boolean circuits of bit size < m by arithmetic 
circuits of total bit size < m in all definitions. 

In the arithmetic setting, we replace boolean circuits of bit size < m by arithmetic circuits 
of size (not bit size) < m in all definitions. The obstructions in O n ^ m are now meant to be 
against all arithmetic circuits of size < m. The running time bounds in all the definitions are 
the same as before except that the running time of the decoding algorithm in Fl (b) is meant 
to be poly(n, m, (s)), assuming unit-cost access to the circuit C as an oracle; the actual cost 
of evaluating C can be much larger than m now since there is no bound on the sizes of the 
constants in C. In the arithmetic setting we will mainly be interested in explicit proofs that 
have the following additional geometric property G. 

To define it, we need some notation. For given s G n ,, m , let S n! m(s) = {Xi, . . . ,Xi}, 
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I = poly(ra, to), denote the small glbal obstruction set as in Fl (a). Let V denote the space of 
polynomial functions in X of degree < 2 m . Thus the polynomial function C(X) computed by any 
arithmetic circuit C of size < m belongs to V. Let S = S nim = {C(X)} C V, where C ranges 
over all such circuits. The function E(X) also belongs to V assuming that 2 m > deg(E(X)). 
Let ip s : V — > C l be the linear map such that, for any g(X) S V and any i < I, 

A(g(X)h = g(Xi). 

In other words, ip s (g(X)) is simply the l-tuple of evaluations of g(X) at various X^s, and 
ip s (g(X))i denotes the i-th entry in this tuple. Clearly ip s (E(X)) ^ S (S) by the definition of an 
obstruction. We call ip s an explicit linear separator associated with s. The geometric property 
G mentioned above is as follows. 

G: The point ip s {E(X)) does not belong to the closure of Vs(^n,m) (in the usual complex 
topology) for any s G O n ,m- 

The motivation here is as follows. In GCT we are interested in showing existence of an 
obstruction using algebro-geometric techniques. If tp s (E(X)) belongs to the closure of ip s (^) 
then any polynomial function that vanishes on ^(S) will also vanish on i/j(E(X)). Hence no 
algebro-geometric technique will be able to distinguish ip s {E(X)) from tp s (Yi). The property G 
is meant to rule out such pathological geometric behaviour and ensure that the separator ip s is 
good geometrically. 

The flip in the strong arithmetic setting is defined by making the following change in the 
definitions of FO-4 and G in the arithmetic seting: replace a circuit of size < m (or rather the 
function computed by it) everywhere by a function that can be approximated infinitesimally 
closely by circuits of size < m. 

We can similarly define the flip and an explicit proof for the various arithmetic versions 
of the permanent vs. determinant problem, replacing a circuit by a linear (determinantal) 
representation. We can also define these notions for other lower bound problems in complexity 
theory such as the P vs. NC problem. 

3.3 Self-referential paradox 

We now explain in what sense implementation of the flip amounts to explicit resolution of the 
self referential paradox, and why this is such a formidable challenge. 

Towards this end, let us examine the properties F above more closely. For an obstruction 
s € Cn,m 5 let S n>m (s) denote the corresponding global obstruction set in Fl (a) that can be 
computed in polynomial time. To simplify the argument, let us replace Fl (b) by (b)'. The 
decoding algorithm in (b)' gives in polynomial time a counterexample Xc £ S ntm (s) for every 
small circuit C of size < m. Let S nm (s) denote the trivial obstruction of exponential size that 
lists for every small C this Xc- Then S n ^ m {s) can be thought of as a polynomial size encoding 
(i.e., information theoretic compression) of the trivial obstruction S n , m (s).To verify a given row 
of S nim (s), we have to check if f(Xc) ^ C(Xc) for the C corresponding to that row. For general 
Xc, this cannot be done in polynomial time, assuming P ^ NP, since / is iVP-complete. And 
yet F3 says that whether s is a valid obstruction, i.e., whether each of the exponentially many 
rows of S ntm (s) specifies a counterexample, can be verified in polynomial time. At the surface, 
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this may seem impossible. It may seem as if to prove P ^ NP, we are trying to prove P = NP. 
This is why implementation of the flip is such a formidable challenge. 

4 Main results 

That leads one to ask: why should we then go for explicit proofs for the nonuniform P 7^ NP 
and related conjectures when just proving existence of some obstructions even nonconstructively 
suffices in principle? The reason is provided by the following results (Theorems 14.21 and I4.3|) 
which say that any proof of the arithmetic nonuniform P vs. NP conjecture (Conjecture 12. 3p 
can converted into an explicit proof by proving in addition that arithmetic circuit identity testing 
can be derandomized in a blackbox fashion. This standard derandomization assumption |12| [T3] 
is generally regarded as easier than the target lower bound. Hence, in this sense, any proof of 
the arithmetic P vs. NP conjecture is close to an explicit proof. 

4.1 Weak arithmetic setting 

We begin with a preliminary lemma in the context of the weak arithmetic hardness of the 
permanent motivation. 

Lemma 4.1 (Flip, nonuniform weak arithmetic) Assume the weak arithmetic hardness 
conjecture for the permanent: specifically, that the permanent of an n x n integer matrix X 
cannot be computed by any arithmetic circuit (over Q) of m = poly(n) total bit size. Suppose 
also that the complexity class E (consisting of the problems that can be solved in exponential 
time) does not have subexponential size circuits (or less stringently, that black box polynomial 
identity testing f7j 1 13f can be derandomized; cf. Section \7.J^ - Then: 

(1) For every n and m = poly(n), it is possible to compute in poly(n,m) = poly(n) time a small 
set S n , m = {X\, . . . , Xi}, I = poly(n, m) = poly{n), of n x n integer matrices such that for every 
arithmetic circuit C of total bit size < m, S nm contains a matrix Xq which is a counter example 
against C, i.e, such that perm(Xc) is not equal to the value C(Xq) computed by the circuit. 
The set S njm is thus a small global obstruction set of poly(n, m) = poly(n) size against all small 
circuits of total bit size < m. 

(2) : Furthermore, assuming a slight strengthening of the assumption that E does not have subex- 
ponential size circuits ( Conjecture \ 7. 2\ given later), or less stringently, that black box polynomial 
identity testing can be derandomized (Section \ r I.J$ , weak arithmetic hardness of the permanent 
has an explicit proof. Specifically, there exists, for every n and m = poly(n), a set O n>m of 
obstructions (bit strings) satisfying FO-F4. 

(3) Similar result holds for the weak arithmetic form of the permanent vs. determinant problem 
136)/ overQ, replacing the second assumption in (1) and (2) by its weaker version-derandomization 
of symbolic determinant identity testing f73| /. 

Lemma 14.11 follows (cf. Section IT. If) from the hardness vs. randomness principle [121. [T3] in 
conjunction with characterization of the permanent by its symmetries (cf. Section [5|). A slightly 
weaker form of Lemma 14. II (everything therein except Fl (b)) follows easily (cf. Section \7. 1|) by 
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derandomizing [32\ [T2] the co-RP algorithm in [13] for testing if a given arithmetic circuit C 
computes the permanent using its downward self-reducibility. But we cannot prove an analogous 
result in the context of the P vs. NP problem using self reducibility alone. Using downward 
self reducibility, the article [3] gives, assuming NP % P/poly, a probabilistic polynomial time 
algorithm for finding, given any small circuit C, a counterexample on which it differs from SAT; 
but this algorithm cannot efficiently produce a small global obstruction set against all small 
circuits. The related article [7] shows under the same assumption that there exists a small 
global obstruction set of satisfiable formulae which contains, for every small circuit C, a counter 
example on which it differs from SAT. But the algorithm in [7] for finding this set works in 
probabilistic polynomial time assuming access to the SAT oracle. Getting rid of this access to 
the SAT oracle is the main problem in the context of the NP % P/poly conjecture. It is solved 
in the weak arithmetic setting in the following result. 

Theorem 4.2 (Flip, nonuniform weak arithmetic) Result analogous to the one in Lemma \4-1\ 

also holds for the weak arithmetic nonuniform P vs. NP problem (cf. Conjecture \2.3\ (a)) with 
the integral function E(X) defined in Section® playing the role of the permanent in Lemma \4-1\ 

This is proved (cf. Section [7J by combining the hardess vs. randomness principle \32\ PT2] 
with the fact [GCT1] that the function E(X) is also characterized by its symmetries just like 
the permanent (cf. Section [5j). 

4.2 Arithmetic setting 

We now turn to the arithmetic setting. 

Theorem 4.3 (Flip, nonuniform arithmetic) (a) Assume the strong arithmetic hardness 
conjecture for the permanent, and the associated strong derandomization hypothesis (defined in 
Section \8.1\) . Then the strong arithmetic hardness conjecture for the permanent has an explicit 
proof having the properties FO-4 and G. If we only assume arithmetic hardness conjecture for 
the permanent, and the associated derandomization hypothesis (defined in Section [8A\) , then the 
arithmetic hardness conjecture for the permanent has an explicit proof having the properties FO-4 
(but G cannot be guaranteed). 

(b) Similar results holds for the strong arithmetic P vs. NP and permanent vs. determinant 
problems (cf. Section^. 

This is proved in Section [8] using the the hardness vs. randomness principle and the char- 
acterization by symmetries (to prove the properties FO-4) in conjunction with some classical 
algebraic geometry (to prove the property G). 

Unlike Lemma 14.11 and Theorem 14.21 Theorem 14.31 has a direct implication in algebraic 
geometry. Specifically, it implies (cf. Theorem 19. 2p that solutions to the strong arithmetic 
hardness and derandomization conjectures under consideration will lead to polynomial time 
algorithms for really formidable explicit construction problems in algebraic geometry. 

The obstruction family O in Lemma 14.1} or Theorem 14.21 or 14.31 does not depend on the 
proof technique at all. This obstruction family is of no use in actually proving hardness of the 
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permanent or E(X) since the proof of its existence assumes this hardness. The challenge in 
the implementation of the flip is to prove existence of an alternative family O of obstructions 
having the flip properties without resorting to any hardness assumptions. The main result of 
GCT, proved in GCT6, extending the investigation in GCT1-5, gives an approach to implement 
the flip for the arithmetic form of the P vs. NP problem (Conjecture 12. 3p and the permanent 
vs. determinant problem. 

A flip theorem like the one above is meaningful only if the hardness conjecture under con- 
sideration is harder than the additional derandomization conjecture assumed in its statement. 
Otherwise, it will really be talking about the difficulty of this additional derandomization con- 
jecture. Thus the flip Theorem 14.31 does not say anything in the context of the quadratic lower 
bound pi|| in the permanent vs. determinant problem. Indeed, the known proof in |19j for this 
quadratic lower bound is far from explicit. Here the (analogous) flip theorem will talk about 
the difficulty of the derandomization conjecture. 

4.3 Boolean setting 

Analogue of Theorem 14.21 also holds in the boolean setting for a stronger average case form of 
the usual (boolean) NP <£. P/poly conjecture based on the characterization by symmetries; cf. 
Section [lOl The main new ingradient here is just formulation of this conjecture. The rest follows 
easily from the work |12j on derandomization of BPP. 

4.4 Uniform setting 

The following results follow by uniformizing the proofs of Lemma 14.11 and Theorem 14.21 

Lemma 4.4 (Flip, uniform) Assume that the permanent of an n x n integer matrix cannot 
be computed by a uniform circuit of m = poly(n) bit size and that black box polynomial identity 
testing can be derandomized ( Section \ 7. 4\ ) -this is a uniform assumption. Then the uniform hard- 
ness conjecture under consideration has an explicit proof satisfying UFO-4; this, in particular, 
implies efficient diagonalization within 0(1) factor. 

Theorem 4.5 (Flip, uniform) Similar result holds for the weak uniform arithmetic hardness 
ofE(X). 

Analogous results also hold in the arithmetic and strong arithmetic settings with appropriate 
definition of uniformity. 

5 Characterization by symmetries 

We now describe the phenomenon of characterization by symmetries on which the proof of the 
flip lemma and theorems are based. 
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5.1 Permanent vs. determinant problem 

In the context of the permanent vs. determinant problem, this phenomenon is that the perma- 
nent and determinant, the functions that are complete and almost complete for the complexity 
classes j^P and NC, respectively, are exceptional, by which we mean they are characterized by 
their symmetries in the following sense. 

Let Y be an m x m variable matrix. Then by classical representation theory [8] det(Y) is 
the unique nonzero polynomial, up to a constant multiple, in the variable entries of Y such 
that: 

(D): (1) det(AY*B) = det(Y), for any A,B € SL m (C), where Y* = Y or Y\ and (2) 
det(AY) = A m det(y) for any A € C. Thus det(V) is characterized by its symmetries, and 
hence, is exceptional. We refer to this characteristic property of the determinant as property 
(D) henceforth. 

Similarly, let X be an n x n variable matrix. Then by classical representation theory again 
[17j perm(X) is the unique nonzero polynomial, up to a constant multiple, in the variable entries 
Xij of X such that for any diagonal or permutation matrices A, B, 

(P): perm(AX*B) = p(A)perm(X)p(B) , 

where X* = X or X t , and p(A) is defined to be the product of diagonal entries, if A is 
diagonal, and one if A is a permutation matrix, p(B) being similar. Thus perm(X) is also char- 
acterized by its symmetries, and hence, is exceptional. We refer to this characteristic property 
of the permanent as property (P) henceforth. In the proof of Lemma 14.11 only the property 
(P) is used. However, the property (D) is needed in the GCT approach to the permanent vs. 
determinant problem; see the overview [21| . 

For convenience, we now recall the elementary proof of property (P) [T7] , the proof of property 
(D) being similar. Let f(X) be any polynomial with property (P). Letting A and B in (P) be 
diagonal matrices, it easily follows that f{X) has the same total degree as perm(X), and also 
the same total degree (one) in the variables of any fixed row or column of X. This means that 
each monomial of f{X) contains precisely one variable (with degree one) from each row and 
column of X. Thus it corresponds to a permutation of n symbols. Furthermore, letting A and 
B in (P) be permutation matrices, it follows that the coefficients of all monomials are the same. 
Hence f(X) is a constant multiple of perm(X). This proves property (P). 

5.2 Arithmetic P vs. NP problem 

The function E{X) (cf. Section [2]) which plays the role of the permanent in the P vs. NP 
problem is also characterized by its symmetries (Theorem 15. 1|) . 

To state the result, we follow the same notation as in Section 12. 2[ Let K be the wreath 
product of the symmetric group Sk on k letters and the alternating group A m on m letters. It 
acts on X by permuting its columns in the obvious way. We call X ao , where o~o(i) = 1 f° r au h 
the primary submatrix of X, and det ao (X) = det(X CT0 ) the primary minor of X. 

The following is a strengthening of Proposition 7.2 in GCT1. 
Theorem 5.1 Let the base field F be of characteristic zero, say Q or C. Then: 
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(a) E(X) is the only nonzero polynomial, up to a constant multiple, in the variable entries of 
X such that 

(E): 

El: for any A G GL n (C) and any B eK, E(AXB) = (det(A)) fcm E(X). 

E2: (1) E(X) = for any X with singular primary minor, or less stringently, (2) E(X) = for 
any X whose primary minor has a unit (re — 1) x (re — 1) matrix as its top-left (re — 1) x (re — 1) 
minor and zeros in the bottom row. 

(b) Let e{X) be any integral nonzero polynomial satisfying E2 and the following variant of El: 
El ': for any A G SL n (C) and any B G K, e(AXB) = e{X). 

Then e(X) can be written as E(X)(^T a a{a)g{a)), a{a) G C, where a ranges over monomials 
in the m X m minors of X, and 

g(a) = Y, a ( XB )- 
BeK 

We refer to the characterization of E(X) in characteristic zero given by this result as property 
(E) henceforth. 

Proof: 

(a) Let f(X) be any polynomial over Q or C with property (E). It is easy to see that El and 
E2 (2) together imply E2 (1). Hence, let us assume that f(X) has properties El and E2 (1). 

By E2 (1), f(X) = if the primary minor of X is singular. Hence it easily follows from 
Hilbert's Nullstellansatz [30] that f(X) is divisible by det(X CT0 ), where X ao denotes the primary 
m x rre minor of X. Specifically, let X be the variety consisting of X's with singular primary 
minors. It is the zero set of the polynomial det(X CTo ). By E2 (1), f{X) vanishes on X. Hence, 
it follows from Hilbert's Nullstellansatz that f(X) r , for some positive integer r, is divisible by 
det(X ao ). Since det(X ao ) is irreducible, it follows that det(X ao ) divides f(X). 

Remark: The above special case of Nullstellansatz has an elementary proof. Specifically, let 
X G X be a "generic" matrix with singular primary minor. Here generic means all entries of 
X are algebraically independent except (say) the top-left, which is a rational function of the 
remaining entries of X in such a way that the determinant of the primary minor of X is zero. 
Then since f{X) vanishes on X and the determinant is irreducible, it is easy to show that 
det(X ao ) divides f(X). 

Since, by El, f{XB) = f{X) for every B G K, it now follows that f(X) is divisible by 
det a (X), for every a. That is, f(X) is divisible by E{X). It follows from El, by letting 
A = XI G GL n (C), that f(XX) = X d f{X), for any A G C, where d = mk m is the degree 
of E(X). This means f{X) is a homogeneous polynomial of the same degree as E(X) and is 
divisible by E(X). Hence, it is a constant multiple of E{X). This proves (a). 

(b) Now suppose that e{X) is any nonzero polynomial satisfying El' and E2. It follows as above 
that e(X) is divisible by E(X). By El', e(AX) = e(X) for any A G SL n (C). Hence, by the first 
fundamental theorem of invariant theory [9J [37], e(X) can be written as a polynomial in the 
m x m minors of X. Since e(XB) = e{X) for any B G K and E(X) divides e(X), (b) follows. 
Q.E.D. 
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6 The stronger form of the NP % P/poly conjecture 



Before turning to the proof of the flip lemma and theorems, we prove in this section Proposi- 
tion [2]2] following the same notation as in Conjecture 12.11 

Let a : F p — > F p be the Frobenius automorphism x — > x q . For x E F p , let 

l-l 1-1 
trace(x) = o-\x) = ^ x<1% 

i=0 i=0 

denote its trace. It is known (Theorem 5.2 in chapter 6 in |15j ) that the bilinear form trace(xy), 
x,y E F p , is nondegenerate. Fix a basis B = {h}, < i < I — 1, of F p over F q . Let {b*} denote 
its dual basis with respect to the trace form. For any x E F p , let Xj's denote its coefficients in 
the basis B. Then xi = trace(6*x). Hence, for any fixed i, xi E F q can be computed by an 
arithmetic -F p -circuit (with input x) of 0(l 2 ) = poly(n) size. Furthermore, since q = poly(n), 
a bit representation of Xi can be computed by an F ? -circuit of poly(n) size using Lagrange 
interpolation. Thus, given x E F p , all bits of all x^s can be computed by an arithmetic Fp- 
circuit of poly(n) size. 

Now let e(X) = E(X) P ~ 1 . Then e(X) is 1 iff E{X) is nonzero, and it is zero otherwise. Thus 
e{X) is a boolean function that belongs to co-NP. So to prove the usual nonuniform P ^ NP 
conjecture over the boolean field, it suffices to show that e{X) can not be computed by a boolean 
circuit of poly(n) size, when the input to the circuit consists of the bits of the coefficients of 
Xij (the entries of X) with respect to the basis B. Suppose to the contrary that such a circuit 
C exists. Then using C we can construct an arithmetic circuit C over F p of polynomial size 
computing e(X). Specifically, we compute the bits of the coefficients of Xij with respect to the 
basis B by small circuits as above and then feed these bits to C. By Conjecture 12.11 such a small 
C for computing e(X) = E(X) p ~ l cannot exist. A contradiction. This proves Proposition 12.21 

7 Flip in the weak arithmetic setting 

In this section we prove Lemma 14.11 and Theorem 14.21 
7.1 Proof of Lemma 14.11 

Proposition 7.1 fT3\j The problem of deciding if a given arithmetic circuit C over Z computes 
the permanent belongs to co — RP. 

Original proof: We first recall a proof from |13] and then give a new proof based on the property 
(P) that is crucially needed for proving Fl (b). 

Given a circuit C = C n that is supposed to compute perm(X), dim(X) = n, we get a circuit 
Ci, 1 < i < n, for computing perm(y), dim(Y) = i, by putting Y in the lower right corner of 
X, specializing the remaining diagonal entries of X to 1, all others remaining entries to zero, 
and evaluating C n on this X. 
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Let Ci(Y) denote the value computed by Cj on input Y. Then C n computes perm(X) if and 
only if for all 1 < i < n 

i 

c i (Y) = Y,njC i - x (yfi, (i) 

where Y is an i x i variable matrix with variables y^i, and Yj the j-th minor of Y along the first 
row, and 

Ci(y) = y. (2) 

This is the usual downward self reducibility of the permanent. Testing if Cj's satisfy (JT]) and ^ 
is an arithmetic circuit (polynomial) identity testing problem (over Z), which belongs to co-RP 

mi- 

New GCT proof. By the property (P), C(X) = perm(X), up to a nonzero constant multiple, if 
and only if 

C{X) + 0, (3) 

identically as a polynomial, 

C[eiX) = C(X) and C{X<a) = C(X), for alH < n, (4) 

where e, denotes an elementary permutation matrix (which permutes the ith and (i + l)-st 
positions), and 

C(fiX) = p(fi)C(X) and C(X/i) = pQi)C(X), (5) 
where fx denotes a diagonal matrix, and p(fM) is the product of its diagonal entries. 

Testing if C{X) satisfies ([3])-([5]) is again an arithmetic circuit identity testing problem over 
Z, which belongs to co-RP. Q.E.D. 

7.1.1 Proof of Lemma 14.11 (1) 

Now consider the second (new) co-RP algorithm in the proof above to test if C computes 
perm(X). This algorithm works in expected time <m' = m c , where c > 1 is some fixed constant. 
Assuming E does not have sub exponential size circuits, it can be derandomized as follows. 
Article [T2] gives, under this assumption, a poly(n, m) time computable pseudorandom generator 
g that takes a random seed of I = O(logm) bit size and produces a pseudorandom sequence 
of length m c that fools any small circuit of bit size < m c . Consider the computational circuit 
corresponding to the above co-RP algorithm for testing if C computes perm(X). Feeding the 
pseudorandom sequence generated by g to this circuit in place of the random bits, cycling over all 
poly(m) possible seeds, and then taking a majority vote, we get a poly(n, m) time algorithm A for 
testing if C computes perm(X). (For this argument, we only need derandomization of polynomial 
identity testing, instead of the strong assumption that E does not have subexponential size 
circuits; cf. Section [7.41 for further discussion.) 
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A crucial property of A is that it is nonadaptive. This means the queries generated during 
its execution do not depend on C at all. Here a query specifies an X on which ([3]) is tested, or 
an X and i on which the equation (HD is tested, or a fj, and an X on which (0) is tested. Let 
Qn,m denote the set of poly(n, to) queries generated in A when the input to A is a circuit C of 
bit size < to. Nonadaptiveness means Q n ^ m depends only on n and m but not on C at all. 

Assuming that perm(X) cannot be computed by a circuit of bit size m = poly(n), it follows 
that, when to = poly(n), then for every C of bit size < to, Q n ,m contains a query on which an 
algebraic identity test based on ([3]), (jlj) or ([5]) fails for that C. Let S^m be the set of all inputs 
X's on which C is evaluated during the testing of all queries in Q n>m . Specifically, fix a query q 
in Qn,m- Suppose this query requires testing of the first equation in (jlj) for some fixed i < n and 
X = X q for some input X q , the argument for the second equation being similar. Then during the 
course of testing this equation for this query, we evaluate C on X q as well eiX q (The evaluation 
in the co-RP algorithm [11] for algebraic identity testing works modulo a large enough prime 
to keep the bit sizes under control. But this makes no difference in the argument that follows.) 
So there are two values of X (namely X q and eiX q ) on which C is evaluated during the testing 
of this query. Let S q = {X q ,eiX q } and add both elements in S q to S n>m for this query. If the 
query q requires testing of the first (say) equation in ([5]) on some fixed value \i q of fi and X q of 
X, then we let S q = {X q , fi q X q }, add both X q and \i q X q to S n ^ m . If the query requires testing 
of ([3]) on some X q , we let S q = {X q }, and add X q to S njm . Thus S niin = U q S q contains a set 
of poly(n, m) n x n matrices. Because Q n ^ m contains, for every C of bit size < to, a query on 
which the associated algebraic identity test fails, it follows that S ntm also contains, for every 
circuit C of bit size < to, a matrix Xq on which C{Xc) 7^ perm(Xc). Thus S n ^ m is a small 
global obstruction set against all circuits of bit size < to. Furthermore, using the algorithm A, 
we can compute S n ^ m in poly(n, to) time. This proves statement (1) of Lemma 14.11 

7.1.2 Proof of Lemma S3] (2) 

Now we turn to the construction of the obstruction family O = O n)Tn as needed in the statement 
(2) of Lemma [4. 11 Let m! = m c be the bound on the running time of A as above. Let I = b log m, 
for a large enough constant b > c. For small m (i.e. m = poly(n)), let O n ^ m be the set of all 
(log m 1 , a log m)-designs within the set {1, . . . , I}, for a large enough constant c < a < b. Here by 
a (k, redesign within {1, . . . , I}, we mean [32] a collection of sets {Ti, . . . , T m /}, Tj C {1, . . . , /}, 
such that (1) for all i, |Tj| = r, and (2) for all i ^ j, |Tj C\Tj\ < k. Each such design s can 
be specified by an m! x / boolean adjacency matrix whose i-th row specifies Tj (by letting its 
j-th entry be one if Tj contains j and zero otherwise). The bitlength (s) of this specification is 
0(m! log to) = 0(poly(n, to)). This s in O n ^ m is short if to is small. It is easy to see (from the 
proof of Lemma 2.6 in [32]) that the total number of such designs is > 2 n ^ m ^ = 2 n( - m lo s m ). 

We now verify that this construction satisfies F0-F4. For the proof of F2 we will need a 
complexity theoretic conjecture. 

FO: This is clear by the preceding remark on the number of designs. 

Fl (a): It follows from the results in [12] that, for each design s € O nm , there exists a poly(m)- 
time computable pseudo-random generator g(s) that takes a random seed of I = O(logm) bit 
length and produces a pseudorandom sequence of bit length to' = m c that fools any circuit of 
bit size < to'. When to is small (and thus s is short), using this pseudo-random generator g(s) 
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in place of the pseudo-random generator g above, we can compute a small global obstruction set 
S n ,m(s) in poly(n,m) time, so also the associated set Q n ,m(s) of queries. This proves Fl (a). 

Fl (b): Given n, m = poly(ra), a short s, and a circuit C, Q n ,m(s) is guaranteed to contain a 
query q on which C fails, and this query q can be computed in poly(n, m, (s)) = poly(n, m) time. 
Let Sq(s) be the associated set of X's on which C is evaluated during the testing of this query. 
The size of S q (s) < 2. Let SVi^c^s) = S q (s). Clearly it too can be computed in poly(ra, m) 
time. 

F3: Given a design s 6 O n)Tn specified as an m! x / adjacency matrix, whether it is a valid 
(log m/, alog?n) design within {1, ...,/}, I = felogm, can be clearly verified in poly(n,m) time. 

F4: Lemma 2.6 in |32] gives an algorithm to compute one such valid design in poly(n, m) time. 

F2: This follows from: 

Conjecture 7.2 The pseudorandom generator g(s) given by under the assumption that 
E does not have subexponential size circuits has the following additional property: for a fixed 
constant c, and large enough constants a > c and b > a, O n>m contains 2^( m ) mutually disjoint 
s's (as we would expect if s's are sufficiently (pseudo) -random). Here we say that s,s' are 
mutually disjoint if S ntm {s) and S n ^ m {s') are mutually disjoint. 

This is a slightly strengthened version of the following conjecture that only depends on the 
complexity class E, and not on the permanent vs. determinant problem or the property (P). 

Let R m (s) denote the set of pseudorandom sequences of length m c produced by g(s) as the 
seed ranges over all possible bit-strings of length I = b log m. 

Conjecture 7.3 The pseudorandom generator g(s) given by jlty under the assumption that 
E does not have subexponential size circuits has the following additional property: for a fixed 
constant c, and large enough constants a > c and b > a, the collection {Rm(s)}, s S O n ,m; 
contains at least 0(2^( m )) mutually disjoint sets. 

Each string in R m (s) contributes poly(ra) X's to S n)m (s), instead of just one, and hence 
disjointness of Sn.m^'s in Conjecture 17.21 is a bit stronger than disjointness of R m (s) , s above. 
Conjectures 17.21 and 17.31 stipulate pseudo-randomness of the generator in [12] with respect to a 
new measure in addition to the usual one used there. 

7.1.3 Proof of Lemma ED (3) 

This is similar to that of Lemma 14.11 (1) and (2). 
This finishes the proof of Lemma 14.11 

7.2 Characterization by symmetries vs. self reducibility 

It is illuminating to consider what happens if we use in the preceding proof the first (original) 
co-RP algorithm in the proof of Proposition 17.11 instead of the second (new) one as we did. 
Then we cannot prove Fl (b). Because each query to test ([1]) in Proposition 17.11 requires 0(n) 
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evaluations of the circuit C. Hence the size of S n)Tri) c{s) in this case would be 0(n) and not 
O(l) as needed in Fl (b). Thus the new co-RP algorithm is crucial to bring down the size of 
m ,c(s) from 0(n) to 0(1). 

In the context of the arithmetic P vs. NP problem that we turn to next, characterization 
by symmetries is even more important. Because in this context we do not know how to use 
downward self-reducibility to prove any any flip theses. Specifically, the best result based on 
downward self reducibility for the usual nonuniform P vs. NP problem is the one in [3], which 
as we already discussed after Theorem 14.21 does not efficiently yield a global obstruction set 
against all circuits (i.e., cannot even satisfy Fl (a)). This is akin to a similar phenomenon 
that has already been observed in complexity theory: namely, we know how to use random self 
reducibility to reduce worst case hardness to average case hardness in the context of the #P vs. 
P problem, but not in the context of the P vs. NP problem, and indeed, there is compelling 
evidence [U [6] that the usual reduction strategies based on self reducibility would not work in 
the context of the P vs. NP problem. 

7.3 Proof of Theorem [4721 

For these reasons, Theorem 14.21 proved in this section is the main result in the weak arithmetic 
setting. 

The following is the analogue of Proposition 17.11 in this case. 



Proposition 7.4 The problem of deciding if a given arithmetic circuit C over Z computes E{X) 
belongs to co — RP. 



Proof: For any y £ C, and i ^ j, let eijiy) denote an elementary n x n matrix with l's on 
the diagonal, y in the (i,j)-th place, and zeroes everywhere else. By the proof of Guassian 
elimination, any matrix in GL n (C) can be written as a product of elementary matrices, where 
by an elementary matrix we mean a matrix of the form eij(y), or a diagonal matrix, or an 
elementary permutation matrix (that swaps some fixed two rows or columns). The total number 
of types of elementary matrices is clearly 0(n 2 ). Fix an explicit set {/*} of generators for the 
group K (defined before the statement of Theorem I5.ip so that the total bit length of their 
description is 0(poly(n)). 

By property (E) as per Theorem 15.11 C(X) = E(X) up to a nonzero constant multiple if 
and only if 

E(X) ? (6) 

identically as a polynomial, 



for any elementary matrix e, 



and 



C{eX) = C(X), 

C(X) = C(Xfj), for all j, 
C(X) = 



(7) 

(8) 
(9) 
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for any X such that, X\, for each i < m, is a vector with 1 in the i-th location and zero 
everywhere else, and the m-entry of X^ is zero. This last condition tests the property E2 (2). 

Testing if C(X) satisfies ©-([9]) is an arithmetic circuit (polynomial) identity testing problem 
over Z, which belongs to co-RP. Specifically, to test ([6]) we choose X randomly. We need to test 
([7]) separately for each type of e. If e is of the type eij(y), we choose y randomly and test ([7]) by 
choosing X randomly. Similarly if e is diagonal. If e is an elementary permutation matrix, we 
just have to choose X randomly. Similarly for (J5J). For testing Q, we have choose X randomly 
subject to the condition on X specified there. Q.E.D. 

Testing (J7J) for a given elementary e and a given X requires only 0(1) evaluations of the 
circuit C, and similarly for ([6]), (jHJ) and (jHJ), just as in the case of Q, flU) or (j5J). The rest 
of the proof of Theorem 14.21 is now like that of Lemma 14.11 using Proposition 17.41 instead of 
Proposition 17.11 

For the proof of F2, the following conjecture plays the role of Conjecture 17. 21 

Conjecture 7.5 Analogue of Conjecture \ 7. 2\ holds assuming that S njm (s) is defined using (de- 
randomization) of the algorithm in Proposition \7.4\ instead of the one in Proposition ]?. 1\ 

This finishes the proof of Theorem 14.21 

7.4 Derandomization of black box polynomial identity testing 

The proofs of Lemma [4. II and Theorem l4.2l above also go through if instead of assumming that E 
does not have sub exponential size circuits, we assume instead that black box polynomial identity 
testing [H [13] can be derandomized. By this we mean that there exists a family % = ^n,mHn,m 
such that: 

1. Short: Each element h of H nm is a short hitting set pQ against all arithmetic circuits over 
X = (xi, . . . , x n ) of bit size < m. By a short hitting set h we mean a set {Xi, . . . , Xi}, 
I = poly(m), of inputs of total bit size 0(poly(ra, m)) such that for every circuit C of total 
bit size < m that computes a nonzero polynomial, h contains an input Xc = Xi, i < I, 
such that C(X C ) + 0. 

2. Rich: H n>m contains at least 2 r2 ( m ) pairwise disjoint hitting sets. 

3. Easy to verify: Given n,m and h, whether h £ E n ,m can be verified in poly(n, m, (h)) 
time, where (h) denotes the bit length of h. 

4. Easy to construct: Given n and m, a short h € E n ,m can be constructed in poly(n, m) 
time. 

The proof of Lemma 14.11 shows that this derandomization hypothesis holds if E does not 
have subexponential size circuits. We leave the details of reworking the proofs of Lemma 14.11 
and Theorem 14.21 with this less stringent derandomization hypothesis, instead of the assumption 
about E, to the reader. No additional conjectures such as Conjecture 17.21 or 17.51 are needed in 
this case. 
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Derandomization of black box polynomial identity testing is roughly equivalent to proving 
subexponential arithmetic circuit size lower bounds for multilinear functions in E\ cf. Section 
7.3 in [p3] and Section 5 in pQ. The notion of derandomization here is a bit stronger than that 
in [TJ [13] . But the proofs there can be extended to this stronger setting easily. 

7.5 Proofs of Lemma 14.41 and Theorem [4751 

This follows by uniformizing the proofs of Lemma l4.1l and Theorem 14.21 We omit the details. 

8 Flip in the arithmetic setting 

In this section we prove Theorem 14.31 

8.1 Strong derandomization hypothesis 

We begin by specifying the strong derandomization hypothesis mentioned in the statement of 
Theorem 14.31 It is a natural generalization of the derandomization hypothesis in the weak 
arithmetic setting described in Section 17.41 

Let C be an arithmetic circuit over X = (x±, . . . , x n ) of size < m. Let S = [1, 2 m ] be the 
set of integers between 1 and 2 m (say). Since the degree of C(X) is < 2 m , by the standard 
lemma [34] . the result of evaluating C is nonzero with a high probability if X is assigned a 
random element in S n . It is critical here that the size of S does not depend on the bitsize of 
the constants in C, since we are allowing arbitrary constants from C in C. Indeed, constants 
may not even have specifications of finite bitlength if they are transcendental. Now we have a 
natural randomized polynomial time algorithm in the complex- RAM model for deciding if C(X) 
is identically zero: (1) pick a random element in S n , (2) evaluate C(X), (3) say no if C(X) is 
not zero, and (4) yes otherwise. In the complex-RAM model each memory location contains 
a complex number, and each arithmetic operation (+,—,*) is unit-cost. This is a black-box 
algorithm in the sense that it treats the circuit C as a black-box subroutine. 

The derandomization hypothesis in the arithmetic setting is that this black box polynomial 
identity testing can be derandomized. By this we mean that there exists a family 1~l — ^n,mHn,m 
such that: 

1 . Short: Each element h of H n ^ m is a short hitting set [TJ against all arithmetic circuits over 
X = (xi, . . . , x n ) of size (rather than bit size) < m. By a short hitting set h we mean a set 
{X±, . . . ,X[}, I = poly(n, m), of inputs of total bit size 0(poly(n,m)) such that for every 
circuit C of size < m that computes a nonzero polynomial, h contains an input Xc = Xi, 
i < I, such that C{X C ) + 0. 

2. Rich: H nm contains at least 2^( m ) pairwise disjoint hitting sets. 

3. Easy to verify: Given n, m and h, whether h E -ffn, m can be verified in poly(n, m, (h)) 
time, where (h) denotes the bit length of h. 
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4. Easy to construct: Given n and m, a short h 6 -£f njm can be constructed in poly(n, m) 
time. 

Lemma 8.1 The arithmetic derandomization hypothesis above holds assuming that E does not 
have subexponential size circuits, or less stringently, that analogous derandomization hypothesis 
holds over F p , with the bitlength (p) = 0(m 2 ), say. 

The derandomization hypothesis over F p is just like the arithmetic derandomization hypoth- 
esis above with the arithmetic circuits of size < m replaced by circuits over F p of size < m, and 
requiring each input in the hitting set to be over F p instead of Z. 

Proof: From the proof of Lemma 14.11 it follows (after appropriate modifications) that the deran- 
domization hypothesis over F p holds assuming that E does not have subexponential size circuits. 
Since each arithmetic circuit over Z corresponds to a circuit over F p obtained by reducing it 
modulo F p , the derandomization hypothesis over F p implies the arithmetic derandomization 
hypothesis over Z. Q.E.D. 

The strong arithmetic derandomization hypothesis in the strong arithmetic setting is ob- 
tained by letting C(X) in the arithmetic hypothesis above be any function that can be approx- 
imated infinitesimally closely by circuits of size < m. Thus the hitting set is now against all 
functions that can be approximated infinitesimally closely by circuits of size < m. 

8.2 Proof of Theorem [4731 

We now describe how to extend the proof of Theorem 14.21 to that of Theorem 14.31 We only 
consider Theorem 14.31 (a), since (b) is very similar. 

The conditions FO-4 in Theorem 14. 31 can be proved just like those in Theorem [472] in the weak 
arithmetic setting, letting the (strong) arithmetic hardness conjecture play the role of the weak 
arithmetic hardness conjecture, and letting the (strong) derandomization hypothesis above play 
the role of the weak derandomization hypothesis in Section 17.41 

What remains to prove then is the property G. We turn to this next. 

We follow the terminology in the statement of the property G in Section 13.21 Thus, given 
s G O 

n,mi S n ^ m (s) — {^i, • • • ,X{\, I — poly(n, m), denotes the small glbal obstruction set as in 
Fl (a). The space V is the space of polynomial functions in X of degree < d = 2 m , and S njm is 
the set of the functions in V that can be computed by arithmetic circuits of size < to. 

Let z be an additional homogenizing variable. Given any g(X) € V, let g'(z,X) denote the 
homogeneous polynomial of degree precisely d = 2 m obtained from g(X) by homogenizing it 
using z. Let V denote the space of homogenizations of the polynomials in V. Let Y>' n m C V' 
denote the set of all constant multiples of homogenizations of all polynomials in S nm . This set 
is homogeneous; i.e. if g'(z, X) G S^ m , then ag'{z,X) €'E' nm for all a € C. Let perm'(z,X) = 
z d ~ n perm.(X) £ V' be the homogenization of perm(X). Let tp' = i^' s : V — > C' denote the 
homogeneous linear map such that for any g'{z,X) € V', and any i < I, 

^(</(^))* = </U, **)• 

In other words, ip' s (g'(z, X)) is simply the Z-tuple of evaluations of g'(z, X) at various Xj's, letting 
z = 1, and ijj' s (g' (z, X))i denotes the z-th entry in this tuple. 
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It is easy to show that any g'(z,X) £ T,' n m can be computed by an arithmetic circuit 
over C with input z and X and of size < m! = bm 2 for some large enough constant b. (The 
proof proceeds by induction on the depth of the circuit computing g'(z,X).) Hence it follows 
from the strong arithmetic hardness conjecture for perm(X) that perm'(z, X) does not belong 
to the closure T,' n m of S n m in the complex topology. Assuming the strong derandomization 
hypothesis (cf. Section I8.ip . it follows as in the proof of Fl in the strong arithmetic setting 
above, that, for any s € O njm i, S ntm /(s) is also a global obstruction set against all functions in 
S^ m . Specifically, this means that -^(perm' (z, X)) g" ip' s (Y,' n m ) . Replacing O n ^ m by O njUl i in 
the obstruction family O, we will assume, without of loss of generality, that, for any s € O n>m , 
S n ,m(s) is a global obstruction set against all functions in S^ m . This means 

#(penn'(z,X))^(^„,J (10) 

for any s € O n , m . 

Let P(V) be the projective space of lines in V' through the origin. Let P(C') be the similar 
projective space associated with C'. Let P(S^ m ) C P(V) denote the projective set associated 
with S^ m . We can assume, without loss of generality that, for any function g'(z,X) in £^ m , 
S n ,m(s) contains a matrix Xq such that g'(l,Xc) ^ 0; i.e., ip' s (g'(z, X)) is not an identically 
zero tuple. This is because the test for the property (P) also includes the test that the function 
under consideration is not identically zero (cf. eq.©), and S nim (s) is constructed on the basis 
of the property (P). Thus ip' s gives a well defined map from P{T,' nm ) to P(C l ). We denote this 
map by ^' s . We can also assume without loss of generality that each S njm (s) contains an identity 
matrix. Since the permanent of the identity matrix is one, this means ^(penn (z, X)) is also 
not an identically zero tuple. We denote the point in P(C') corresponding to ^(perrr/^, X)) 
by ^(perm 1 (z, X)). Thus, by eq. (fT0l) . 

^(perm'(z,X)) ^(P^J) C P(C l ) (11) 

for any s € O n , m . 

To prove the property G for the permanent function, it suffices to show that ip' s (peim.' (z , X)) 
does not belong to the closure of ip' s (T,' n ^ m ) in the complex topology. This is equivalent to showing 
that ^(perm'(z, X)) does not belong to the closure of ip' s (P(T,' n m )) in the complex topology. 
By eq. ljlip . this follows from the following. 

Lemma 8.2 The set %l)' s {P{Ti' nrn )) C P(C l ) is already closed in the complex topology. 

Fix n,m and s G O n ^ m . For simplicity, we drop the subscripts s,n and m. Thus we denote 
$ s by i>', by £', and by 

To prove lemma [8?2l we need the following lemma. 

Lemma 8.3 The set S' C V' is an algebraic variety (possibly reducible); i.e. the zero set of 
finitely many polynomials in the coordinates ofV. 

Proof: This follows from the following two facts from classical algebraic geometry: 
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(1) The set Ecy and hence the set £' C V' is a constructible set. (A set is called constructible 
(cf. Definition 2.30 in |30j ) if it can be expressed as a disjoint union T\ U ■ ■ ■ U where each 
Tk = T' k — Tfc for some algebraic variety and its subvariety T'£ CT^.) 

This can be proved as follows. Fix an uninstantiated circuit D of size < m. By an unin- 
stantiated circuit, we mean the nodes of D are labelled with the operators +, — and *, and 
the leaves are labelled by either the variables x^s, or constant parameters ai,...,a,j, for some 
j < m. Clearly there are only finitely many uninstantiated circuits for given m. Fix any such D. 
Let Ti£> C V be the set of all functions that can be computed by some instantiation of D; i.e., 
by assigning specific complex values to the constant parameters a\, . . . ,aj. Clearly, £ = U£d. 
So it suffices to show that £d is constructible. With D, we can associate an affine algebraic 
variety as follows. Associate a new variable y u with every internal node u of D. (The leaves 
of D are already associated with either variables a^'s or constant parameters a r 's). Say the 
internal node u is *, and u\ and U2 are its children, possibly leaves. Then corresponding to u, 
we have an equation y u = y Ul * y U2 . Let II jy denote the affine variety defined by all the equations 
associated with the internal nodes. Then T,d is the projection of Hp into V. (This corresponds 
to elimination of all variables for the internal nodes and the parameters a±, . . . , a,). Now (1) 
follows from the fact (cf. Proposition 2.31 in [30J ) that the image of any affine variety under a 
regular (polynomial) map is a constructible set. It need not be closed. See Chapter 2C in [30] 
for the pathologies that can happen. This is the main problem that we have to deal with in the 
rest of the proof. 

(2) The closure in the complex topology coincides with the closure in the Zariski topology (cf. 
Theorem 2.33 in [30]). 

Specifically this implies the following. Since by (1), £' is a constructible set, its closure £' 
in the complex topology is an algebraic variety (possibly reducible-we do not require a variety 
to be reducible in what follows). Q.E.D. 

Since £' is homogeneous, its closure £' C V' is also homogeneous. In conjunction with 
lemma [831 this means £' is a homogeneous algebraic subvariety of V. Hence -P(S') is a projec- 
tive subvariety of P{V'). Consider the morphism = i[)' s from -P(S') to P(C') defined earlier. 
To prove Lemma 18.21 it suffices to show that i/j'(P(T>')) is a projective subvariety of P(C l ). 
This follows from the fact that the image of a morphism from a projective variety to another 
projective variety is closed (cf. Corollary 14.2 in [5])-this is a consequence of the main theorem 
of elimination theory (cf. Theorem 14.1 in [5]). This proves Lemma 18.21 

Now the property G follows. This proves Theorem 14.31 (a). 

9 Implication in algebraic geometry 

The algebraic variety T,' n m associated above with the class of functions computable by small 
arithmetic circuits is rather wild and hard to study. The article GCT1 associates another variety 
with this class of functions. It is called the class variety associated with the complexity class 
P. Unlike S^ m , it has a natural action of the general linear group GL m 2(C). This makes 
it possible to study it using the techniques of geometric invariant theory [31 . The article 
GCT1 also associates similar class varieties with other complexity classes, namely, NC, NP 
and #-P. Theorem 14.31 implies that a formidable explicit construction problem associated with 
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these class varieties can be solved (in polynomial time) assuming the strong arithmetic hardness 
and derandomization hypotheses under consideration. To see this, one simply has to rephrase 
Theorem 14.31 in terms of these varieties. We do it in this section for the case of the strong 
arithmetic permanent vs. determinant problem, the other cases being similar. 

Towards that end, we first recall the class varieties associated by GCT1 with the complexity 
classes NC and jf=P. Let Y be an m x m variable matrix. We think of its entries, ordered 
say rowwise, as coordinates of y = C r , r = m 2 . Let V = C[Y] m be the space of homogeneous 
polynomials of degree m in the variable entries of Y. It is a representation of G = GL{y) = 
GL r (C) with the following action. Given any a G G, map a polynomial g(Y) G V to g a (Y) = 
9(^HY)): 

a:g{Y)^g{a~ l Y). 

Here Y is thought of as an m 2 -vector by straightening it rowwise. 

Similarly, let X be an n x n variable matrix, whose entries we think of as coordinates of 
X = C™ after ordering them rowwise. Let W = C[X] n be the space of forms (homogeneous 
polynomials) of degree n in the entries of X. It is a representation of H = GL(X) = GL n 2(C). 

Let P(V) be the projective space of V consisting of the lines in V through the origin. 
Let P(W) be the projective space of W. Identify X with an n x n submatrix of Y, say, 
the bottom-right minor of Y, and let z be any variable entry of Y outside X. We use it as a 
homogenizing variable. Define an embedding <p : W V by mapping any polynomial h(X) G W 
to h^(Y) = z m ~ n h(X). This also defines an embedding of P(W) in P(V), which we denote by 
(f) again. 

Let g = det(y), thought of as a point in P(V) (strictly speaking the line through det(Y) is 
a point in P(V), but we ignore this distinction here). Similarly, let h = perm(X) G P(W), and 
f = h* = perm^(Y) G P{V). 

Let 

A v [g,m] = A v [g] = Gg_C P(V), 

A w [h,n] = A w [h] = Hhop(W), (12) 

A v [f,n,m] = A v [f] = ~Gf C P(V), 

where Gg denotes the projective closure of the orbit Gg of g, and so on. Then, it follows from 
classical algebraic geometry as in the proof of Lemma 18.31 that Ay[j,m] and Ay[/, m, n] are 
projective varieties. Furthermore, it can be shown that they are projective G- varieties, i.e., 
varieties with a natural action of G induced by the action on the G-orbits. Similarly, A^y[^,7T,] 
is a projective H- variety. We call A[f,n,m] the class variety of the complexity class j^P since 
the permanent is ^P-complete [36], and A[g,m] the class variety of the complexity class NC 
since the determinant belongs to NC and is almost complete |36j. 

It is easy to show (cf. Propositions 4.1 and 4.4 in [GCT1]) that if h = perm(X) can be 
expressed linearly as the determinant of an m x m matrix, m > n, then 

A v [f] = A v [f,n,m] C A v [g,m] = A v [g], (13) 

and conversely, if Ay[/,n,m] C Av[g,m], then / can be approximated infinitesimally closely 
by a point in P(V) of the form det(AY), A G G, thinking of Y as an m 2 -vector. The following 
conjecture is thus equivalent to the strong arithmetic permanent vs. determinant conjecture 
stated in Section [2j 
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Conjecture 9.1 (Strong arithmetic form of the permanent vs. determinant conjecture) [GCTlJ 
The point f £ P{V) cannot be approximated infinitesimally closely as above if m = poly{n), and 
more generally, m = 2 log<ln for any constant a > 0. 

Equivalently, if m = poly(n), or more generally, m = 2 log n , a > fixed, n — > oo, then 
A v [f,n,m] £ A v [g,m]. 

We now restate Theorem 14.31 for this equivalent form of the strong arithmetic permanent vs. 
determinant conjecture. 

An obstruction s £ O n ,m will now be against all points (functions) in Ay[g,m\. Specifically, 
the global obstruction set S n)m (s) = {Xi, . . . ,Xi}, I = poly(n,m), will now have the following 
property. Fix any homogeneous polynomial p(Y) in V that belongs to A^^m] (thinking of a 
homogeneous polynomial in V, by an abuse of notation, as a point in P(V)). Then there exists 
a counter example Xi £ S ntTn (s) such that p'(Xi) / perm(Aj), where p'(Xi) is a polynomial 
obtained from p(Y) by substituting zero for all variables in Y other than z and X, substituting 1 
for z, and X{ for X. Equivalently, let ip = tp s : V — > C l be the homogeneous linear map that maps 
any homogeneous piY) £ V to the point in C' corresponding to the tuple (j/(X\, ), . . . ,p'(Xi)). 
As in the proof of Theorem 14.31 in Section 18.21 we can assume, without loss of generality, that 
ip gives a well defined morphism from the projective variety Ay[g.m] to the projective variety 
P(C'). We denote this morphism by ?/? = ip s . Its image is $(A v [g,m\) C P(C'). We can also 
assume, as in the proof of Theorem 14.31 in Section [8.21 that ip(f) (E is not an identically zero 
tuple. Hence it defines a point in P(C l ), which we define by 4>{f). Then that S n ^ m (s) is a global 
obstruction set is equivalent to saying that ijj(f) ^ ijj(Av[g, m]). The notion of an explicit proof 
and FO-4 can now be formulated in this setting in the obvious manner; we omit the details. Note 
that, since ip is a well defined morphism from the projective variety Ay[g,m] to the projective 
variety P(C l ), its image V>(Ay [g, m]) C P(C') is already closed (projective subvariety) in P(C') 
by the main theorem of elimination theory (cf. Corollary 14.2 in [5]). Hence the property G 
follows from FO-4 in this setting immediately by the main theorem of elimination theory. 

The following is a restatement of Theorem 14.31 in this setting. 

Theorem 9.2 (Flip) Assume Conjecture \9.1\ and the strong arithmetic derandomization hy- 
pothesis (cf. Section \8.1\) . Then Conjecture \9. 1\ has an explicit proof satisfying FO-4 an d G as 
above. 

More specifically, for any obstruction s € O nm , there is a linear map ip s : V — > C l corre- 
sponding to the polynomial time computable global obstruction set S nim (s) such that (1) it gives 
a well defined morphism ij) 8 from Ay[g, m] to P(C l ), (2) ip s {Ay[g,m\) is a closed projective 
subvariety of P(C l ), and (3) tp s {f) ^ s (Ay[g,m]). 

Analogous result holds in the context of the strong arithmetic P vs. NP problem, letting the 
similar variety for the class P defined in GCT1 play the role of Ay[g, m] and letting the function 
E(X) play the role of perm(X). 

We call the linear map ip s in Theorem 19.21 an explicit separator between Ay[g,m] and / = 
perm^(Y). We call it explicit because, given s, its specification S ntm (s) can be computed in 
0(poly(ra, m)) time. We call I = poly(n, m) the dimension of i]) a . Thus Theorem 19.21 says that, 
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assuming the strong arithmetic permanent vs. determinant and derandomization conjectures, 
one can construct an explicit family of linear separators of small dimension between Ay[g,m] 
and / = perm^(y). 

It has to be stressed that Theorem 19.21 critically depends on the exceptional nature of / = 
perm^(y) and g = det(Y). If one were to consider general / and g in place of the permanent 
and determinant, the conclusion of Theorem 19.21 will almost never hold. For general / and g, 
a global obstruction set S ntTn that gives a linear separator ip between Av{g,m] and / can be 
constructed (if it exists) by appropriately eliminating dim(V) — r variables. This can be done 
using general purpose algorithms in algebraic geometry for computing multivariate resultants 
and Grobner bases. But these algorithms take J)(dim(V)) space and 0(2 dim ( y )) time. Since 
dim(V) is exponential in n and m, the time taken is at least double exponential in n and m, 
and the total bit length of S nm is exponential in n and m. Nothing better can be expected for 
general / and g, because elimination theory is in general intractable. Specifically, the problem 
of computing the Grobner basis is EXPSPACE-complete [18]. This means it takes in general 
space that is exponential in the dimension of the ambient space, which is P(V) here. In contrast, 
Theorem 14.21 savs that a short specification S nyTn of a linear separator between Ay\g, m] and 
/ = perm^(y), can be computed in poly(n, m) time exploiting the exceptional nature of / and 
g. This may seem unbelievable. 

At present, such explicit separators of small dimension can be constructed in algebraic geom- 
etry only between very special kinds of algebraic varieties, such as the Grassmanian or the flag 
varieties [9], and very special kinds of points. This can be done using the second fundamental 
theorem of invariant theory [9j [37] which gives a very nice explicit set of generators for the ideals 
of these varieties. But these varieties have very low complexity in comparison to Ay[n,m]. For 
example, their complexity, according to a certain complexity measure on (quasi)-homogeneous 
spaces defined in [16] . is zero, whereas that of Ay[g,m] is quadratic in m. Furthermore, they 
are normal, whereas Ay [g,m] is not normal according to a recent result |35j . The problem 
of explicit construction of linear separators when the underlying variety is not normal and its 
complexity is so high seems very formidable and far beyond the reach of the existing machinery 
in algebraic geometry. Theorem 19.21 says that such formidable explicit construction problems 
in algebraic geometry are hidden underneath the hardness and derandomization hypotheses in 
complexity theory. 

10 Flip in the boolean setting 

To get an efficient pseudorandom generator, it does not suffice to just assume that P ^ NP. 
One needs a stronger average case assumption, namely, existence of one way functions. Similarly, 
to get a flip theorem in the context of the usual (boolean) NP <£. P/poly conjecture, one needs 
to assume a stronger average case form of this boolean conjecture based on characterization 
by symmetries. In this section we state this conjecture (Conjecture 110.31) . The corresponding 
flip theorem (Theorem 110. 5[) then follows as a direct corollary of the main result in [12] on 
derandomization of BPP. 

We begin with a preliminary motivating result in the context of the following strengthening 
of Conjecture 12.31 
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Conjecture 10.1 Analogues of Coniecture \2.3\ and Coniecture \2. 1\ hold for any integral nonzero 
e{X) with the properties El' and E2 as in Theorem I5.il (b). 

This gives a purely group-theoretic definition of hardness in the context of the arithmetic P 
vs. NP problem. 

Theorem 10.2 (Flip for property El) Analogues of Theorems \4-2\ and \4-3\ hold for any 
nonzero integral e{X) with the properties El' and E2 (as in Theorem \5.1\ (b)). 

This is proved just like Theorems 14.21 and 14.31 with Conjecture 110.11 playing the role of 
Conjecture 12.31 and the property El' the role of El. 

Now we turn to the boolean setting. The following is a stronger form of the NP % P/poly 
Conjecture. 

Let S be the set integers of bit length at most n 3 (say). Let C be a boolean circuit whose 
input is the bit specification of X with entries in S. Let A be a co-RP algorithm for testing if C 
has properties El' and E2 akin to the algorithm in the proof of Proposition 17.41 (for testing El 
and E2) with the following difference. Whenever we used a random number in that algorithm, we 
use a random integer of bitlength at most ra 3 /3, and instead of standard generators of GL n (C), 
we now use standard generators of SL n (C). 

Conjecture 10.3 (Stronger invariant theoretic average case form of the NP % P/poly conjecture) 

Let C be any boolean circuit of poly{n) bit size whose input is bit specification of X with entries 
in S. Suppose C comes with a promise that prob{C(X) = 0}, X G S, is small, say < 1/n, where 
C(X) denotes the boolean function computed by C. 

Then the algorithm A above for testing if C has properties El ' and E2 says NO with high 
probability (> l/poly(n)). 

The promise is necessary in Conjecture ll0.3l since there exist small circuits with the properties 
El' and E2 that are zero almost everywhere but not everywhere. 

Proposition 10.4 Conjecture \10.3\ implies NP $Z P/poly. 

Proof: Let Eb(X) be the boolean function which is zero if E{X) is zero and one otherwise. 
Clearly Ej,(X) has properties El' and E2. Furthermore, computation of E^{X) is ./VP-complete 
[10j . Hence it suffices to show that any boolean circuit computing Ef,(X) satisfies the promise. 
But the number of zeros of E^{X) is the same as those of E(X). Hence by the Schwarz-Zippel 
lemma, prob{£ 6 (X) = 0}, X G S, is bounded by deg(E(X))/\S\ = n kn2 /2 n " < 1/n. Q.E.D. 

Conjecture 110.31 basically says that the symmetries El' and E2 of E(,(X) are hard to ap- 
proximate on the average. This is an invariant theoretic average case form of the worst case 
assumption that E^{X) is hard to compute (as expected since it is iVP-complete) . It will be 
interesting to study the relationship (if any) between this average case assumption and the 
standard average case assumptions in complexity theory, such as existence of one way functions. 
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Theorem 10.5 (Flip in the boolean setting) Suppose Conjecture \10.3\ holds and also that 
the complexity class E does not have subexponential size circuits ( or less stringently, that the co- 
RP algorithm A above can be derandomized in a black box fashion very much as in Section \l.J$ . 

Then for every n and m = poly(n), it is possible to compute in poly(n,m) = poly(n) time 
a small set S nt7n = {X\,... ,X r }, r = poly(n,m) = poly{n), of n x n matrices with entries in 
S such that for every boolean circuit C satisfying the promise in Conjecture \10.Sh and with total 
bit size < m ( and hence, in particular, for any boolean circuit of size < m claiming to compute 
Eb(X)), S ni m contains a matrix Xc which is a counter example against C (as detected in the 
algorithm A). 

Furthermore, assuming an appropriate stronger form ( analogous to Conjecture \ 7.5\ ) of the 
assumption that E does not have subexponential size circuits, (or less stringently, that the co- 
RP algorithm A above can be derandomized in a black box fashion) Conjecture 1 1 0. S\ and hence, 
NP $Z P/poly conjecture, has an explicit proof -i.e., there exists an obstruction family O satisfy- 
ing F0-F4~except that the obstructions are now only against small circuits satisfying the promise 
in Conjecture \10.SX 

The new ingradient here is formulation of Conjecture 110.31 i- e -i formulation of the conjec- 
turally correct nonadaptive co-RP algorithm algorithm A for finding a counterexample against 
any small boolean circuit claiming to compute E^{X). Once this is done, Theorem ll0.5l is just a 
direct corrollary of the main result in [12] on derandomization of BPP, because the algorithm A 
can be derandomized under standard assumptions therein. This algorithm A is to be contrasted 
with the adaptive probabilistic polynomial time algorithm in [3] for finding a counterexample 
against a small boolean circuit claiming to compute SAT, assuming NP $Z P/poly. 

Let us finish this section with one more variant of a flip theorem. 

Theorem 10.6 (Flip over a finite field) Analogue of Lemma \4.1\ holds over a large enough 
finite field F p , p > 2n (say), instead of Q or C, provided in the definitions of Fl-4 we confine 
ourselves to the circuits with the promise that the polynomials computed by them have the same 
degree as that of perm(X) (otherwise the circuit cannot compute perm(X) for trivial reasons). 

Similar analogue of Theorem \4-S\ holds for hardness of the function E(X) over a large enough 
F p as in Coniecture \2.1[ 

This is also proved like Theorem 14.21 

11 Rigidity 

The proof (cf. Section [7^3]) of the flip Theorem 14.21 works for any function e(X), X = (xi, . . . , x n ), 
over Q in the place of E{X) as long as e(X) has the following properties: 

(1) It is characterized by symmetries in the following sense: 

Definition 11.1 We say that e(X) is characterized by symmetries if it is the only nonzero 
polynomial (up to a constant multiple) with rational coefficients that satisfies a small (poly{n)) 
number of algebraic polynomial identities with integral coefficients (in the spirit of those in the 
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property (E)), each having a specification of poly (n) bitlength and containing O(l) terms. Here 
each identity is of the form 

g(e(Y l ),...,e(Y k )) = 0, 

where g(u±, . . . , u^) is a polynomial computable by a circuit over Z of O(l) size with input Ui 's, 
and each Yi can be computed by a circuit over Z of poly(n) bit size with input X. 

If we only require that each g(ui, . . . ,Uk) be computable by a poly(n) bit size circuit over Z 
with input Ui 's, we say that e(X) is weakly characterized by symmetries. 

The circuits specifying the identities here can be nonuniform. 

(2) e(X) cannot be computed by an arithmetic circuit over Q of poly(n) bit size. 

Here (1) implies that there is a nonadaptive co-RP/poly algorithm for deciding if a given 
arithmetic circuit C computes e(X) (akin to that in the proof of Proposition 17. 4p . where a 
co-RP/poly algorithm means a nonuniform algorithm in the form of a poly(n) size circuit with 
random advice in addition to the usual input. Nonuniformity has to be allowed since the circuits 
specifying the identities in Definition 111.11 can be nonuniform. It is easy to see that the proof of 
the flip theorem goes through even in the presence of such nonuniformity. It also goes through 
even when e(X) is required to be characterized by symmetries in a weaker sense, except that 
Fl (b) need not hold in this weaker setting. 

Proposition 11.2 The number of e{X) overQ) that are characterized by symmetries in a weaker 
sense (DefinitionTUS) is < 2?°^ . 

Proof: This holds because the total bit length of the specification of the identities in Defini- 
tion [TTTT] in terms of small circuits is 0(poly(n)). Q.E.D. 

The proposition implies that the proof technique of the flip Theorem 14.21 which only works 
for functions with properties (1) and (2), is extremely rigid. By this we mean that it only works 
for 2P°^y( n ) number of functions in place of e(X). This is also the case for Flip Theorem 110.51 
in the boolean setting. 

This form of rigidity is extremely severe in comparison to the mild rigidity constraint that 
the natural proof barrier [33| places H on proof techniques for the NP % P/poly conjecture: 
namely, that they should work for less than 2 N /poly(N) number of functions, where N = 2 n is 
the size of the truth-table specification of an n-ary boolean function. 

It is a plausible that any proof of the arithmetic or boolean P vs. NP conjecture (or any 
of the related conjectures under consideration in this paper) has to be extremely rigid. This is 
because by Theorem 14.21 any proof of the (weak) arithmetic P vs. NP conjecture is close to an 
explicit proof. But the explicitness condition seems so severe that any proof that comes even 
close to an explicit proof may work for only rare exceptional functions (like the permanent or 
E(X)). That is, just mildly rigidity which suffices to bypass the the natural proof barrier |33] 
may not be enough, and a proof may be forced to be extremely rigid, like that Theorem 14.21 or 

MM 

2 Ignoring the constructivity condition in [33] 
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